designed to function as a web app svr. Other roles not supported. Does not support the higher-powered hw configs of other versions of win2008 svr.

x86 32-bit ver - 4G mem max, up to 4 procs in SMP config.

x64 64-bit ver - 32G mem max, up to 4 procs in SMP config.

Itanium

Designed for Intel Itanium 64-bit proc. Only edition that can be installed on an Itanium-based computer; requires Itanium 2 processor. App and Web svr roles are supported. Virt and Windows Deployment Services are not available.

2TB mem max, up to 64 procs in SMP config.

HyperV will only run on x64 versions of OS.

Server Core

Any of the Versions can be installed as Server Core.

Stripped-down version, no desktop.

Administered from command-line, and/or MMC.

Can RDP to server, but must use command shell/line.

Reduced attack surface.

Lower hardware requirements for fewer installed components.

Does not support PowerShell commands directly (PowerShell can be run remotely against a Core install via WMI). It is possible to run Script Host scripts.

Can run regedit and Notepad. Can also invoke the Date Control Panel (control timedate.cpl) and the International Settings Control Panel (control intl.cpl).

oclist.exe - lists all server roles installed and available for install.

AD Cert Svcs, AD Federation Svcs, and Windows Deployment Svcs are not available in the initial release but may be in a later SP.

Windows 2003 cannot be updated to Server Core.

Installing 2008

You can put in the product key early in the install process to determine which version of the OS you are installing.

Consider waiting to activate in case you need additional memory or hardware. You have a 30-day activation grace period.

You can install from DVD, PXE (Automated Server Deployment) install, or using a Windows Preinstallation Environment (Windows PE) with the OS sys files on a network share to perform a network installation. Windows PE is a free tool that you can download from Microsoft: http://technet.microsoft.com/en-us/windowsvista/aa905120.aspx

Installs normally come without Hyper-V. Hyper-V can be installed, but the install files must be downloaded from Microsoft.

Upgrading from 2003

No cheaper upgrade version of 2008 is available.

Must be initiated from within 2003 SP1 or later (or 2003 R2), not from install media.

All versions of 2003 go to similarly named versions of 2008, except 2003 Standard, which can go to 2008 Standard or Enterprise.

x32 must go to x32. x64 must go to x64.

It is possible to install 2008 to a separate partition.

Make sure to do a full backup before upgrade or fresh installation.

Compatibility check is run prior to initiating the upgrade process.

Choose to upgrade when a significant amount of customization is required post-upgrade/install that cannot be done by simply restoring backed-up data.

Advised that you disable BitLocker during maintenance that will update startup components. Otherwise you need to recover with the 48-character password that is generated during BitLocker setup. The pw is stored separately or directly in AD (recommended for Enterprise environments).

Without TPM (and TCG-compatible BIOS), the key is stored on removable USB memory that has to be present, and supported by the BIOS, each time the computer starts up.
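A format check for the recovery password mentioned above, added here as an example and not taken from the notes. It uses the published BitLocker recovery password format: 48 digits in 8 groups of 6, where each group is a multiple of 11 and, divided by 11, fits in 16 bits (so no group exceeds 720885). Running this on a key transcribed from paper or AD catches a mistyped digit before the recovery console rejects it. The sample key in the block is constructed and belongs to no real volume.

```python
"""Validate the format of a BitLocker 48-digit recovery password.

Added example (not from the notes). Format facts used: 8 groups of 6 digits,
each group a multiple of 11, and group // 11 must fit in 16 bits, so the
largest legal group is 11 * 0xFFFF = 720885. Each digit group therefore
encodes one 16-bit word of the 128-bit recovery value; a single wrong digit
almost always breaks the multiple-of-11 property, which is what makes this
check useful as a typo detector.
"""
import re

GROUP_COUNT = 8
GROUP_DIGITS = 6
GROUP_MAX = 11 * 0xFFFF  # 720885

# Constructed sample: every group is a multiple of 11 and within range.
SAMPLE_KEY = "000011-000022-720885-000000-123453-555555-111111-654313"


def recovery_password_errors(text):
    """Return a list of human-readable problems; empty list means well-formed."""
    digits = re.sub(r"[\s-]", "", text)  # accept spaces or dashes between groups
    errors = []
    if not digits.isdigit() or len(digits) != GROUP_COUNT * GROUP_DIGITS:
        errors.append("expected %d digits, got %d" % (GROUP_COUNT * GROUP_DIGITS, len(digits)))
        return errors
    for i in range(GROUP_COUNT):
        group = int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS])
        if group % 11:
            errors.append("group %d (%06d) is not a multiple of 11 (mistyped digit?)" % (i + 1, group))
        if group > GROUP_MAX:
            errors.append("group %d (%06d) exceeds %d" % (i + 1, group, GROUP_MAX))
    return errors


def is_valid_recovery_password(text):
    """True when the password passes every format check."""
    return not recovery_password_errors(text)


def recovery_words(text):
    """Return the eight 16-bit words encoded by a well-formed password."""
    if not is_valid_recovery_password(text):
        raise ValueError("malformed recovery password")
    digits = re.sub(r"[\s-]", "", text)
    return [int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS]) // 11
            for i in range(GROUP_COUNT)]


if __name__ == "__main__":
    print(recovery_password_errors(SAMPLE_KEY) or "format OK")
    # One digit changed in group 5 (123453 -> 123456) is caught:
    print(recovery_password_errors(SAMPLE_KEY.replace("123453", "123456")))
```

The check only proves the string is well-formed; whether it unlocks a given volume is decided by the recovery console.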

Bitlocker Volume Config

You need to create a separate 1.5GB partition and format it before installing the 2008 OS on a machine that might need BitLocker in the future. If you have to install BitLocker in the future without doing this, it will take many hours of reconfig work.

Group Policy commands (general)

gpupdate /force - forces group policy updates to replicate to all AD servers.

Quick commands

net start telnet (starts the telnet server); net stop telnet (stops it).

Promoting server to domain controller

dcpromo - copies files necessary before promoting to DC.

Automated Server Deployment

Answer Files

Windows System Image Manager (SIM), included in the Windows Automated Installation Kit (Windows AIK or WAIK), can create the XML file (usually autounattended.xml). The file can be saved on any accessible volume (including USB) during installation. Install will look for it...

The \Sources\install.wim file in the Windows install media has all the settings for an install. Should be able to open this with Windows SIM. If you're going to modify it, copy it to a temp directory.

To modify, right-click on the Components or Package in the Windows Image section, and select Add Setting to Pass x yyyyy to be able to edit. (Double-click on the element in the Credentials/Settings section.)

Windows PE can be used to link to a share and run setup.exe /unattend:x:\autounattended.xml.

Windows Deployment Services

WDS

A role that can be added to 2008 svr to allow remote deployment of Windows OSes.

Needs a PXE network card (or could use another method such as Windows PE).

Client has to be authorized.

Multicast has to be configured on the network (so multiple PCs can be installed simultaneously).

autounattended.xml on the WDS server will allow the update with no prompts from the admin/installer.

WDS needs to be installed on a computer in an AD domain. DNS server is required.

Authorized DHCP svr needs to be present on the network. If the DHCP svr is on the WDS svr, configure the WDS svr not to listen on port 67. Also make sure to add option tag 60 for DHCP, so PXE clients can detect the presence of the WDS server.

NTFS partition needs to be available to store OS images.

Cannot be run on Server Core install.

Configured by WDS Config Wizard or WDSUtil.exe.

Configuring

You can configure the autounattended.xml filename in the Client tab.

Multicast ranges, ports, and bandwidth used are configured in the Network Settings tab.

Key Mgmt Svcs (KMS) - KMS is installed on a local server, and computers in the environment connect to that computer to perform activation. Recommended to have 2 KMS svrs deployed, with one acting as backup. KMS requires at least 25 computers, and they must reconnect to the KMS server every 180 days.

If you have no Internet connectivity (MAK), and fewer than 25 computers (KMS), then you will need to activate each system over the telephone.

Rollback

During 2008 installation, once a successful login has occurred, you cannot roll back. At this point, the only rollback is to reformat and restore the 2003 backups you took.

IPv6 addresses

8 16-bit boundaries (double bytes or words):
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
21cd:0053:0000:0000:03ad:003f:af37:8d62
is the same as
21cd:53:0:0:3ad:3f:af37:8d62 (leading zeros removed)
is the same as
21cd:53::3ad:3f:af37:8d62 (contiguous zeros replaced with 2 colons - can only be used once in addr)

ff06::2 is the same as ff06:0:0:0:0:0:0:2

NOTE: Site ID is %1 or %2 or whatever # after address. ???
NOTE: Zone ID is %1 or %2 or whatever # after addr, but with
???
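The two shortening rules above (drop leading zeros in each group, replace one run of all-zero groups with "::") implemented as a small expand/compress pair. This is an added example, not part of the notes. It goes slightly beyond the notes by following the RFC 5952 canonical form when compressing: "::" is only used for a run of two or more zero groups, the longest run is chosen, and the leftmost wins on a tie. A trailing "%N" zone suffix, as in the NOTE lines, is split off and re-attached untouched.

```python
"""Expand and compress IPv6 addresses (added example, not from the notes).

Rules implemented:
  * each of the 8 groups is 16 bits written as 1-4 hex digits; leading zeros
    may be dropped;
  * one run of consecutive all-zero groups may be written as '::', and '::'
    may appear only once in an address;
  * a zone suffix such as '%1' is carried through unchanged.
Compression follows RFC 5952: '::' only for runs of 2+ zero groups, longest
run first, leftmost on a tie.
"""
import re

GROUP_RE = re.compile(r"^[0-9a-fA-F]{1,4}$")


def split_zone(addr):
    """Return (address, zone); zone is '' when no '%' suffix is present."""
    addr, _, zone = addr.partition("%")
    return addr, zone


def expand(addr):
    """Return the full form, e.g. 'ff06::2' -> 'ff06:0000:0000:0000:0000:0000:0000:0002'.

    Raises ValueError for malformed input ('::' used twice, wrong group count,
    non-hex digits)."""
    addr, zone = split_zone(addr)
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(GROUP_RE.match(g) for g in groups):
        raise ValueError("need 8 hex groups of 1-4 digits: %r" % addr)
    full = ":".join("%04x" % int(g, 16) for g in groups)
    return full + ("%" + zone if zone else "")


def compress(addr):
    """Return the RFC 5952 shortened form of any valid IPv6 address string."""
    full, zone = split_zone(expand(addr))
    groups = [int(g, 16) for g in full.split(":")]
    # Locate the longest run of zero groups (leftmost on a tie).
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hex_groups = ["%x" % g for g in groups]  # leading zeros dropped
    if best_len >= 2:
        out = ":".join(hex_groups[:best_start]) + "::" + ":".join(hex_groups[best_start + best_len:])
    else:
        out = ":".join(hex_groups)
    return out + ("%" + zone if zone else "")


def is_valid_ipv6(addr):
    """True when expand() accepts the string."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ("21cd:0053:0000:0000:03ad:003f:af37:8d62", "ff06::2", "fe80::1%1"):
        print(a, "->", compress(a), "->", expand(compress(a)))
```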

AD add-ons

RODCs

Might do it for remote office that needs to logon to domain
but doesn't have trusted IT staff to manage domain.

Might also do it for an application that needs to be on a DC with an admin to manage the application, but not the domain.

Good for remote locations with relatively few users or no IT knowledge, inadequate phys security, low net bw, etc.

User's first login requires validation across the WAN. After that the RODC pulls the user credentials so that further logons by the same user are validated locally. Have to permit this in the domain pw replication policy with respect to the RODC (against the computer account name in the (writable) DC).

Export settings to an answer file to use as a template for subsequent installs or uninstalls. The password will have to be manually put into the file (won't be automatically saved) - recommended to put password=* in the answer file, and let the wizard prompt you for credentials.

Wizard will let you force demotion of a DC started in Dir Svcs Restore Mode.

You can delegate RODC install by creating the RODC account and delegating install and admin of the RODC to a user or security group. RODC delegated install and admin users can create the RODC by running dcpromo /UseExistingAccount:Attach, and can administer the RODC without requiring admin rights to the rest of the domain or forest.

AD Sites and Svcs snap-in includes a Find command on the toolbar and action menu, to discover the site in which a DC is placed. Can help you troubleshoot replication probs.

Password repl policy page for the RODC can set these settings.

Advanced button on the RODC computer account shows what pws have been sent to or are stored on the RODC, and what accounts have authenticated.

Fine-grained security policies

Password policies can be customized for diff users or groups. Don't need to be in a diff domain.

Fine-grained sec policies only work with AD at 2008 level (or higher).

Can only be applied to user objs or global sec grps (or inetOrgPerson objects).

For pw policies to apply to computers, use techniques such as pw filters; fine-grained pw policies do not interfere.
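Fine-grained password policies live in AD as Password Settings Objects (PSOs), and the awkward part of scripting them is the duration format: every age, lockout window and lockout duration is a negative I8 count of 100-nanosecond intervals. The block below, an added example and not from the notes, converts human durations into that format and emits an LDIF fragment for a PSO. The attribute names are the real msDS-PasswordSettings schema names; the domain DN, policy name, group DN and numeric settings are constructed placeholders.

```python
"""Generate an LDIF fragment for a fine-grained password policy (PSO).

Added example, not from the notes. Real schema names are used for the class
and attributes; the DNs and values are constructed for illustration. AD stores
durations as negative I8 values in 100-ns units, so 42 days is
-36288000000000 and 30 minutes is -18000000000. Among PSOs that apply to the
same user, the one with the lowest msDS-PasswordSettingsPrecedence wins.
"""

HUNDRED_NS_PER_SECOND = 10_000_000

# Constructed sample environment (placeholders, not a real domain).
SAMPLE_DOMAIN_DN = "DC=example,DC=test"
SAMPLE_GROUP_DN = "CN=Tier0 Admins,OU=Groups,DC=example,DC=test"


def to_i8_duration(days=0, hours=0, minutes=0, seconds=0):
    """Return a duration as the negative 100-ns interval AD expects."""
    total_seconds = seconds + 60 * (minutes + 60 * (hours + 24 * days))
    return -total_seconds * HUNDRED_NS_PER_SECOND


def pso_ldif(domain_dn, name, applies_to_dns, precedence=10, min_length=14,
             history=24, max_age_days=42, min_age_days=1, lockout_threshold=10,
             lockout_window_min=30, lockout_min=30):
    """Return LDIF text that creates one PSO in the Password Settings Container.

    applies_to_dns should name user objects or global security groups
    (inetOrgPerson objects are also allowed); the directory, not this helper,
    enforces that, so pass DNs you have checked."""
    if not applies_to_dns:
        raise ValueError("a PSO with no msDS-PSOAppliesTo entries affects nobody")
    lines = [
        "dn: CN=%s,CN=Password Settings Container,CN=System,%s" % (name, domain_dn),
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence: %d" % precedence,
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        "msDS-PasswordHistoryLength: %d" % history,
        "msDS-PasswordComplexityEnabled: TRUE",
        "msDS-MinimumPasswordLength: %d" % min_length,
        "msDS-MinimumPasswordAge: %d" % to_i8_duration(days=min_age_days),
        "msDS-MaximumPasswordAge: %d" % to_i8_duration(days=max_age_days),
        "msDS-LockoutThreshold: %d" % lockout_threshold,
        "msDS-LockoutObservationWindow: %d" % to_i8_duration(minutes=lockout_window_min),
        "msDS-LockoutDuration: %d" % to_i8_duration(minutes=lockout_min),
    ]
    lines += ["msDS-PSOAppliesTo: %s" % dn for dn in applies_to_dns]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(pso_ldif(SAMPLE_DOMAIN_DN, "PSO-Tier0-Admins", [SAMPLE_GROUP_DN], precedence=5))
```

The output is meant for ldifde -i (or any LDAP client that takes LDIF); the precedence, lengths and ages shown are sample values, not a recommendation.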

Restartable AD DS

AD DS data mining tool

Deleted AD DS or AD LDS data can be preserved in snapshots of AD DS taken by the Volume Shadow Copy Service (VSS). LDAP tools such as ldp.exe can view read-only data in snapshots. Does not recover deleted objects and containers - recovery is a subsequent step. To recover:

set up the snapshot as an LDAP svr using dsamain.exe.

browse with ldp.exe

note OUs or objects you want to restore and record attrs and back-links.

Reanimate objects using the tombstone reanimation feature, and manually re-populate them with the stripped attrs and back-links as IDed in snapshots. The data mining tool lets you do this without restarting the DC in DS mode.

Be careful with security (e.g. if a hacker gets a copy of an AD DS snapshot).

ntdsutil.exe can be used to take regular snapshots of the volume containing the AD DS database.

AD DS Auditing (expanded)

Prior to 2008 you could only set whether DS access was audited. Now you can also audit

Infrastructure master - responsible for updating references from objects in its domain to objects in another domain. 1/domain. Change it from (right-click) MMC Active Directory Users and Computers/<domain>.

You need to create the central store locations manually. They will be replicated to all DCs using Distributed File System Replication (DFSR). All admins that edit domain-based GPOs can access the same set of ADMX files.

.admx files modify the registry. Test before deploying on the production network. Test with sample files that do not affect the registry until you are confident using ADMX syntax (search for .admx sample files on Microsoft download sites).